Skip to content

Document and automate workload identity permissions for deployment#5

Open
awood-ops wants to merge 1 commit into
mainfrom
feature/grant-workload-identity-access
Open

Document and automate workload identity permissions for deployment#5
awood-ops wants to merge 1 commit into
mainfrom
feature/grant-workload-identity-access

Conversation

@awood-ops

Copy link
Copy Markdown
Owner

Summary

  • Documents the permissions a deploy workload identity needs to provision these resources: Contributor at resource-group scope, one-time subscription-scope rights to register Microsoft.DevCenter/Microsoft.DevOpsInfrastructure, and Azure DevOps org-level membership of DevOps Infrastructure Pool Administrators (a separate permission system from Azure RBAC).
  • Adds scripts/Grant-WorkloadIdentityAccess.ps1 to automate granting all of the above — idempotent, -WhatIf supported, with separate flags for the production deploy identity vs. the e2e test identity (-IncludeSubscriptionScope -SkipAdoGroupMembership).
  • Recommends workload identity federation over the classic secret-based service connection in docs/Getting-Started.md.

Test plan

  • Get-Help ./scripts/Grant-WorkloadIdentityAccess.ps1 -Full renders correctly
  • Run with -WhatIf against a real subscription/SP to confirm the planned actions look right
  • Run for real against the prod deploy SP, confirm Contributor lands at RG scope only
  • Run with -IncludeSubscriptionScope -SkipAdoGroupMembership for the e2e identity, confirm subscription-scope Contributor
  • Verify ADO group membership step against a real org, or fall back to the manual steps if the CLI path doesn't apply cleanly

Callout: the deploy identity behind Azure-Service-Connection (and the
separate e2e GitHub OIDC app) needs Contributor at resource-group scope,
one-time subscription-scope rights to register Microsoft.DevCenter and
Microsoft.DevOpsInfrastructure, and Azure DevOps org-level membership of
"DevOps Infrastructure Pool Administrators" -- Azure RBAC alone isn't
enough since ADO permissions are a separate system.

Adds scripts/Grant-WorkloadIdentityAccess.ps1 to automate granting all
of the above (idempotent, -WhatIf supported), and documents the
permissions table plus recommends workload identity federation over
the classic secret-based service connection in docs/Getting-Started.md.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant